07-Security Command Reference
13-ARP Attack Protection Commands
ARP attack protection configuration commands
ARP defense against IP packet attacks configuration commands
display arp source-suppression
ARP packet rate limit configuration commands
arp rate-limit (interface view)
Source MAC address based ARP attack detection configuration commands
arp anti-attack source-mac aging-time
arp anti-attack source-mac exclude-mac
arp anti-attack source-mac threshold
display arp anti-attack source-mac
ARP packet source MAC address consistency check configuration commands
arp anti-attack valid-check enable
ARP active acknowledgement configuration commands
arp anti-attack active-ack enable
ARP detection configuration commands
arp restricted-forwarding enable
display arp detection statistics
reset arp detection statistics
ARP gateway protection configuration commands
ARP filtering configuration commands
ARP defense against IP packet attacks configuration commands
arp resolving-route enable
Syntax
arp resolving-route enable
undo arp resolving-route enable
View
System view
Default level
2: System level
Parameters
None
Description
Use arp resolving-route enable to enable ARP black hole routing.
Use undo arp resolving-route enable to disable the function.
By default, ARP black hole routing is disabled.
Examples
# Enable ARP black hole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
arp source-suppression enable
Syntax
arp source-suppression enable
undo arp source-suppression enable
View
System view
Default level
2: System level
Parameters
None
Description
Use arp source-suppression enable to enable the ARP source suppression function.
Use undo arp source-suppression enable to disable the function.
By default, the ARP source suppression function is disabled.
Related commands: display arp source-suppression.
Examples
# Enable the ARP source suppression function.
<Sysname> system-view
[Sysname] arp source-suppression enable
arp source-suppression limit
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
View
System view
Default level
2: System level
Parameters
limit-value: Specifies the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds. It ranges from 2 to 1024.
Description
Use arp source-suppression limit to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds.
Use undo arp source-suppression limit to restore the default value, which is 10.
With this feature configured, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds the specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.
Related commands: display arp source-suppression.
Examples
# Set the maximum number of packets with the same source address but unresolvable destination IP addresses that the device can receive in five seconds to 100.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
display arp source-suppression
Syntax
display arp source-suppression [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Current cache length: 16
Table 1 Command output
Field | Description
---|---
ARP source suppression is enabled | The ARP source suppression function is enabled.
Current suppression limit | Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds.
Current cache length | Size of the cache used to record source suppression information.
ARP packet rate limit configuration commands
arp rate-limit (interface view)
Syntax
arp rate-limit { disable | rate pps drop }
undo arp rate-limit
View
Layer 2 Ethernet interface view, Layer 2 aggregate interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
disable: Disables ARP packet rate limit.
rate pps: ARP packet rate, ranging from 5 to 3072 pps.
drop: Discards the packets that exceed the configured rate.
Description
Use arp rate-limit to configure ARP packet rate limit on an interface.
Use undo arp rate-limit to restore the default.
By default, ARP packet rate limit is disabled.
Examples
# Set the ARP packet rate on GigabitEthernet 1/0/1 to 50 pps, and discard packets that exceed the rate.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 50 drop
Source MAC address based ARP attack detection configuration commands
arp anti-attack source-mac
Syntax
arp anti-attack source-mac { filter | monitor }
undo arp anti-attack source-mac [ filter | monitor ]
View
System view
Default level
2: System level
Parameters
filter: Specifies the filter mode.
monitor: Specifies the monitor mode.
Description
Use arp anti-attack source-mac to enable source MAC address based ARP attack detection and specify the detection mode.
Use undo arp anti-attack source-mac to restore the default.
By default, source MAC address based ARP attack detection is disabled.
After you enable this feature, the device checks the source MAC address of ARP packets received from the VLAN. If the number of ARP packets received from a source MAC address within five seconds exceeds the specified threshold:
· In filter detection mode, the device displays a log message and filters out the ARP packets from the MAC address.
· In monitor detection mode, the device only displays a log message.
If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.
Examples
# Enable filter-mode source MAC address based ARP attack detection.
<Sysname> system-view
[Sysname] arp anti-attack source-mac filter
arp anti-attack source-mac aging-time
Syntax
arp anti-attack source-mac aging-time time
undo arp anti-attack source-mac aging-time
View
System view
Default level
2: System level
Parameters
time: Age timer for protected MAC addresses, in the range of 60 to 6000 seconds.
Description
Use arp anti-attack source-mac aging-time to configure the age timer for protected MAC addresses.
Use undo arp anti-attack source-mac aging-time to restore the default.
By default, the age timer for protected MAC addresses is 300 seconds (five minutes).
Examples
# Configure the age timer for protected MAC addresses as 60 seconds.
<Sysname> system-view
[Sysname] arp anti-attack source-mac aging-time 60
arp anti-attack source-mac exclude-mac
Syntax
arp anti-attack source-mac exclude-mac mac-address&<1-10>
undo arp anti-attack source-mac exclude-mac [ mac-address&<1-10> ]
View
System view
Default level
2: System level
Parameters
mac-address&<1-10>: MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. &<1-10> indicates up to ten protected MAC addresses that you can configure.
Description
Use arp anti-attack source-mac exclude-mac to configure protected MAC addresses which will be excluded from ARP packet detection.
Use undo arp anti-attack source-mac exclude-mac to remove the configured protected MAC addresses.
By default, no protected MAC address is configured.
If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all the configured protected MAC addresses are removed.
Examples
# Configure a protected MAC address.
<Sysname> system-view
[Sysname] arp anti-attack source-mac exclude-mac 2-2-2
arp anti-attack source-mac threshold
Syntax
arp anti-attack source-mac threshold threshold-value
undo arp anti-attack source-mac threshold
View
System view
Default level
2: System level
Parameters
threshold-value: Threshold for source MAC address based ARP attack detection, ranging from 10 to 100.
Description
Use arp anti-attack source-mac threshold to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sourced from a MAC address within five seconds exceeds this threshold, the device considers this an attack.
Use undo arp anti-attack source-mac threshold to restore the default.
By default, up to 50 ARP packets can be received from a MAC address within five seconds.
Examples
# Configure the threshold for source MAC address based ARP attack detection as 30.
<Sysname> system-view
[Sysname] arp anti-attack source-mac threshold 30
display arp anti-attack source-mac
Syntax
display arp anti-attack source-mac [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface interface-type interface-number: Displays attacking MAC addresses detected on the interface.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display arp anti-attack source-mac to display attacking MAC addresses detected by source MAC address based ARP attack detection.
If no interface is specified, the display arp anti-attack source-mac command displays attacking MAC addresses detected on all the interfaces.
Examples
# Display the attacking MAC addresses detected by source MAC address based ARP attack detection.
<Sysname> display arp anti-attack source-mac
Source-MAC VLAN ID Interface Aging-time
23f3-1122-3344 4094 GE1/0/1 10
23f3-1122-3355 4094 GE1/0/2 30
23f3-1122-33ff 4094 GE1/0/3 25
23f3-1122-33ad 4094 GE1/0/4 30
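The following is an added example, not code from the command reference or the device: a Python model of source MAC address based ARP attack detection as the sections above describe it (per-source-MAC counting in five-second windows, filter versus monitor mode, protected MAC addresses from exclude-mac, and an age timer). The class and method names are this example's own, the traffic is constructed, and applying aging-time to detected entries (matching the Aging-time column of the display output) is an assumption.

```python
# Added example, not part of the command reference. Models the behaviour of
# arp anti-attack source-mac { filter | monitor }, ... threshold, ... exclude-mac
# and ... aging-time with constructed traffic. Names are this example's own.
from collections import defaultdict


class SourceMacArpDetector:
    WINDOW = 5  # seconds; the reference fixes the detection window at five seconds

    def __init__(self, mode="filter", threshold=50, aging_time=300, exclude=()):
        assert mode in ("filter", "monitor")
        assert 10 <= threshold <= 100 and 60 <= aging_time <= 6000  # documented ranges
        self.mode, self.threshold, self.aging_time = mode, threshold, aging_time
        self.exclude = {m.lower() for m in exclude}   # protected MACs (exclude-mac)
        self._counts = defaultdict(int)               # (mac, window index) -> packets seen
        self._detected = {}                           # mac -> (vlan, interface, expiry)
        self.log = []                                 # log messages the device would emit

    def _expire(self, now):
        # Assumption: detected entries age out after aging-time seconds.
        for mac in [m for m, (_, _, exp) in self._detected.items() if exp <= now]:
            del self._detected[mac]

    def on_arp(self, now, mac, vlan, interface):
        """Return True if the ARP packet is forwarded, False if it is filtered."""
        mac = mac.lower()
        self._expire(now)
        if mac in self.exclude:
            return True                               # protected MAC: never inspected
        if mac in self._detected:
            return self.mode == "monitor"             # filter mode keeps dropping until aged out
        key = (mac, int(now // self.WINDOW))
        self._counts[key] += 1
        if self._counts[key] > self.threshold:        # more than threshold packets in 5 s
            self._detected[mac] = (vlan, interface, now + self.aging_time)
            self.log.append(f"ARP attack from {mac} on {interface} (VLAN {vlan})")
            return self.mode == "monitor"             # monitor mode only logs
        return True

    def display(self, now):
        """Rows shaped like `display arp anti-attack source-mac` output."""
        self._expire(now)
        return [(mac, vlan, ifc, int(exp - now))
                for mac, (vlan, ifc, exp) in self._detected.items()]


def run_demo(mode="filter", threshold=30):
    """Constructed replay: one host sends 40 ARP packets in 2 s, another sends 5,
    and a protected host also sends 40. Returns (dropped, display rows, log)."""
    det = SourceMacArpDetector(mode=mode, threshold=threshold, aging_time=60,
                               exclude=["23f3-1122-33ff"])
    dropped = 0
    for i in range(40):
        if not det.on_arp(100 + i * 0.05, "23f3-1122-3344", 4094, "GE1/0/1"):
            dropped += 1
    for i in range(5):
        det.on_arp(100 + i, "23f3-1122-3355", 4094, "GE1/0/2")
    for i in range(40):                               # protected MAC is never counted
        det.on_arp(100 + i * 0.05, "23f3-1122-33ff", 4094, "GE1/0/3")
    return dropped, det.display(110), det.log


if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        print(mode, run_demo(mode))
```

With threshold 30, the 31st packet in the window triggers detection; in filter mode it and the remaining nine are dropped, in monitor mode only the log entry is produced.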
ARP packet source MAC address consistency check configuration commands
arp anti-attack valid-check enable
Syntax
arp anti-attack valid-check enable
undo arp anti-attack valid-check enable
View
System view
Default level
2: System level
Parameters
None
Description
Use arp anti-attack valid-check enable to enable ARP packet source MAC address consistency check on the gateway. After you execute this command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.
Use undo arp anti-attack valid-check enable to restore the default.
By default, ARP packet source MAC address consistency check is disabled.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp anti-attack valid-check enable
ARP active acknowledgement configuration commands
arp anti-attack active-ack enable
Syntax
arp anti-attack active-ack enable
undo arp anti-attack active-ack enable
View
System view
Default level
2: System level
Parameters
None
Description
Use arp anti-attack active-ack enable to enable the ARP active acknowledgement function.
Use undo arp anti-attack active-ack enable to restore the default.
By default, the ARP active acknowledgement function is disabled.
This feature is configured on gateway devices to identify invalid ARP packets.
Examples
# Enable the ARP active acknowledgement function.
<Sysname> system-view
[Sysname] arp anti-attack active-ack enable
ARP detection configuration commands
arp detection enable
Syntax
arp detection enable
undo arp detection enable
View
VLAN view
Default level
2: System level
Parameters
None
Description
Use arp detection enable to enable ARP detection for the VLAN.
Use undo arp detection enable to restore the default.
By default, ARP detection is disabled for a VLAN.
Examples
# Enable ARP detection for VLAN 1.
<Sysname> system-view
[Sysname] vlan 1
[Sysname-vlan1] arp detection enable
arp detection trust
Syntax
arp detection trust
undo arp detection trust
View
Layer 2 Ethernet port view, WLAN-ESS interface view
Default level
2: System level
Parameters
None
Description
Use arp detection trust to configure the port as an ARP trusted port.
Use undo arp detection trust to restore the default.
By default, the port is an ARP untrusted port.
Examples
# Configure GigabitEthernet 1/0/1 as an ARP trusted port.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp detection trust
arp detection validate
Syntax
arp detection validate { dst-mac | ip | src-mac } *
undo arp detection validate [ dst-mac | ip | src-mac ] *
View
System view
Default level
2: System level
Parameters
dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests will be checked.
src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid. Otherwise, the packet is discarded.
Description
Use arp detection validate to configure ARP detection based on specified objects. You can specify one or more objects in one command line.
Use undo arp detection validate to remove detected objects. If no keyword is specified, all the detected objects are removed.
By default, ARP detection based on specified objects is disabled.
Examples
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
<Sysname> system-view
[Sysname] arp detection validate dst-mac src-mac ip
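As an added example that is not part of the command reference, the following Python code applies the three checks of arp detection validate (dst-mac, ip, src-mac) to constructed Ethernet/ARP frames; the src-mac rule is the same comparison that arp anti-attack valid-check enable performs on a gateway. The frame builder, field names and sample addresses are this example's own assumptions.

```python
# Added example, not part of the command reference. Models the checks behind
# `arp detection validate { dst-mac | ip | src-mac }` and the source MAC
# consistency check of `arp anti-attack valid-check enable` on in-memory frames.
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC, ONES_MAC = b"\x00" * 6, b"\xff" * 6


def parse_arp(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying ARP into the fields the checks need."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha,
            "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def _bad_ip(ip: IPv4Address) -> bool:
    # ip keyword: all-zero, all-one or multicast addresses are invalid
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast


def validate(frame: bytes, dst_mac=True, ip=True, src_mac=True) -> list:
    """Return the names of the checks the frame fails; an empty list means valid."""
    a = parse_arp(frame)
    failed = []
    # dst-mac: the target MAC of an ARP reply must not be all-zero or all-one,
    # and must match the destination MAC in the Ethernet header
    if dst_mac and a["op"] == ARP_REPLY:
        if a["tha"] in (ZERO_MAC, ONES_MAC) or a["tha"] != a["eth_dst"]:
            failed.append("dst-mac")
    if ip:
        # replies: sender and target IP are checked; requests: sender IP only
        to_check = [a["spa"], a["tpa"]] if a["op"] == ARP_REPLY else [a["spa"]]
        if any(_bad_ip(x) for x in to_check):
            failed.append("ip")
    # src-mac (and valid-check): ARP sender MAC must equal the Ethernet source MAC
    if src_mac and a["sha"] != a["eth_src"]:
        failed.append("src-mac")
    return failed


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble a constructed Ethernet+ARP frame for exercising the checks."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


HOST_A = bytes.fromhex("23f311223344")      # constructed MAC addresses
HOST_B = bytes.fromhex("23f311223355")
# Well-formed reply from A to B
GOOD_REPLY = build_arp(HOST_B, HOST_A, ARP_REPLY, HOST_A, "10.0.0.1", HOST_B, "10.0.0.2")
# Ethernet header says A sent it, but the ARP sender MAC claims B: fails src-mac
INCONSISTENT_REPLY = build_arp(HOST_B, HOST_A, ARP_REPLY, HOST_B, "10.0.0.1", HOST_B, "10.0.0.2")
# Request whose sender IP is a multicast address: fails ip
BAD_IP_REQUEST = build_arp(ONES_MAC, HOST_A, ARP_REQUEST, HOST_A, "224.0.0.1", ZERO_MAC, "10.0.0.2")

if __name__ == "__main__":
    for name, f in [("good", GOOD_REPLY), ("inconsistent", INCONSISTENT_REPLY), ("bad-ip", BAD_IP_REQUEST)]:
        print(name, validate(f) or "valid")
```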
arp restricted-forwarding enable
Syntax
arp restricted-forwarding enable
undo arp restricted-forwarding enable
View
VLAN view
Default level
2: System level
Parameters
None
Description
Use arp restricted-forwarding enable to enable ARP restricted forwarding.
Use undo arp restricted-forwarding enable to disable ARP restricted forwarding.
By default, ARP restricted forwarding is disabled.
Examples
# Enable ARP restricted forwarding in VLAN 1.
<Sysname> system-view
[Sysname] vlan 1
[Sysname-vlan1] arp restricted-forwarding enable
display arp detection
Syntax
display arp detection [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display arp detection to display the VLANs enabled with ARP detection.
Related commands: arp detection enable.
Examples
# Display the VLANs enabled with ARP detection.
<Sysname> display arp detection
ARP detection is enabled in the following VLANs:
1, 2, 4-5
Table 2 Command output
Field | Description
---|---
ARP detection is enabled in the following VLANs | VLANs that are enabled with ARP detection.
display arp detection statistics
Syntax
display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface interface-type interface-number: Displays the ARP detection statistics of a specified interface.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display arp detection statistics to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed.
Examples
# Display the ARP detection statistics of all the interfaces.
<Sysname> display arp detection statistics
State: U-Untrusted T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State) IP Src-MAC Dst-MAC Inspect
GE1/0/1(U) 40 0 0 78
GE1/0/2(U) 0 0 0 0
GE1/0/3(T) 0 0 0 0
GE1/0/4(U) 0 0 30 0
Table 3 Command output
Field | Description
---|---
Interface(State) | State T or U identifies a trusted or untrusted port.
IP | Number of ARP packets discarded due to invalid source and destination IP addresses.
Src-MAC | Number of ARP packets discarded due to invalid source MAC address.
Dst-MAC | Number of ARP packets discarded due to invalid destination MAC address.
Inspect | Number of ARP packets that failed to pass ARP detection (based on static IP Source Guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses).
reset arp detection statistics
Syntax
reset arp detection statistics [ interface interface-type interface-number ]
View
User view
Default level
2: System level
Parameters
interface interface-type interface-number: Clears the ARP detection statistics of a specified interface.
Description
Use reset arp detection statistics to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared.
Examples
# Clear the ARP detection statistics of all the interfaces.
<Sysname> reset arp detection statistics
ARP gateway protection configuration commands
arp filter source
Syntax
arp filter source ip-address
undo arp filter source ip-address
View
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
ip-address: IP address of a protected gateway.
Description
Use arp filter source to enable ARP gateway protection for a specified gateway.
Use undo arp filter source to disable ARP gateway protection for a specified gateway.
By default, ARP gateway protection is disabled.
Note:
· You can enable ARP gateway protection for up to eight gateways on a port.
· You cannot configure both arp filter source and arp filter binding commands on a port.
Examples
# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp filter source 1.1.1.1
ARP filtering configuration commands
arp filter binding
Syntax
arp filter binding ip-address mac-address
undo arp filter binding ip-address
View
Layer 2 Ethernet interface view, WLAN-ESS interface view
Default level
2: System level
Parameters
ip-address: Permitted sender IP address.
mac-address: Permitted sender MAC address.
Description
Use arp filter binding to configure an ARP filtering entry. If the sender IP and MAC addresses of an ARP packet match an ARP filtering entry, the ARP packet is permitted. If not, it is discarded.
Use undo arp filter binding to remove an ARP filtering entry.
By default, no ARP filtering entry is configured.
Note:
· You can configure up to eight ARP filtering entries on a port.
· You cannot configure both arp filter source and arp filter binding commands on a port.
Examples
# Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] arp filter binding 1.1.1.1 2-2-2